What is Multi-Factor-Authentication

MFA is a simple best practice that adds an extra layer of protection on top of your existing OpenSSH key. See "Access an environment via OpenSSH or Putty".

With MFA enabled, a user who connects to the bastion-host is validated by their key pair (the first factor - what they know) as well as by an authentication response from their MFA device (the second factor - what they have). Taken together, these multiple factors provide increased security for your environment.

General process

Currently MFA is disabled by default.

When MFA is enabled by root360, it is enforced for all users, including root360 customer service staff and project users. Exceptions are not supported. You need to cross-check with your CI/CD integration to ensure your processes are not disrupted.

The following steps are required to enable MFA for environment access:

  1. check and accept preconditions

  2. request activation of MFA

  3. activate MFA

Preconditions for MFA

  • BatchMode must be disabled in your SSH client (see https://linux.die.net/man/1/ssh)

  • The MFA token has to be (re-)generated on each provisioning of the bastion host instance (e.g. a rebuild of the host)
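One way to check the BatchMode precondition on a workstation or CI runner before requesting activation. This is an added example, not root360 tooling: the function name `check_mfa_client_config` and the sample input are constructed, and it assumes the MFA prompt is delivered via keyboard-interactive authentication, as the "Permission denied (keyboard-interactive)" message on this page suggests.

```shell
#!/bin/sh
# Added example (not root360 tooling). Reads the effective client configuration
# printed by `ssh -G` on stdin and reports settings that would prevent the
# client from answering a keyboard-interactive MFA prompt.
# Real use: ssh -G -p 222 [projectuser]@[bastionhostIP] | check_mfa_client_config

check_mfa_client_config() {
    _batch="" _kbd="" _preferred="" _rc=0
    # `ssh -G` prints one lowercase "key value" pair per line.
    while read -r _key _value || [ -n "$_key" ]; do
        case "$_key" in
            batchmode)                    _batch=$_value ;;
            kbdinteractiveauthentication) _kbd=$_value ;;
            preferredauthentications)     _preferred=$_value ;;
        esac
    done
    if [ "$_batch" = "yes" ]; then
        echo "FAIL: BatchMode is enabled; the MFA prompt cannot be answered" >&2
        _rc=1
    fi
    if [ "$_kbd" = "no" ]; then
        echo "FAIL: KbdInteractiveAuthentication is disabled" >&2
        _rc=1
    fi
    # PreferredAuthentications only restricts the method list when it is set.
    if [ -n "$_preferred" ]; then
        case ",$_preferred," in
            *,keyboard-interactive,*) ;;
            *) echo "FAIL: keyboard-interactive missing from PreferredAuthentications" >&2
               _rc=1 ;;
        esac
    fi
    [ "$_rc" -eq 0 ] && echo "OK: client can answer a keyboard-interactive MFA prompt"
    return "$_rc"
}

# Constructed sample: effective config of a CI runner that sets BatchMode.
printf 'batchmode yes\nkbdinteractiveauthentication yes\n' \
    | check_mfa_client_config || true
```

Run the check as the same user and with the same SSH config files that your CI/CD job uses, since `Host` and `Match` blocks can set BatchMode for the bastion host only.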

Request activation of MFA

Request activation of MFA for a dedicated environment via change request at https://support.root360.cloud.

Activate MFA (only required for SSH)

As soon as MFA is enforced, SSH login will no longer work. You may see the following message:

    MFA required, please check our documentation https://faq.root360.cloud/564625495/How+to+activate+MFA+Multi-Factor-Authentication+for+SSH

    [projectuser]@[bastionhostIP]: Permission denied (keyboard-interactive).

To activate MFA, log in to the bastion-host of your environment on port 222 and follow the instructions:

    $ ssh -p 222 [projectuser]@[bastionhostIP]

You may scan the QR code or use the verification secret to add the account to your virtual MFA device.

Supported Methods

At the moment, for SSH access we support virtual device MFA with TOTP. You may use compatible apps like "Google Authenticator" or "Authy" to manage your virtual MFA.

For OpenVPN we support authentication with your Dashboard (root360) password.

Note

Each virtual MFA device assigned to a user must be unique. A user cannot type a code from another user's virtual MFA device to authenticate.
